Fortinet discovered a strain of ransomware dubbed Spritecoin ransomware that only allows victims Monero payments and pretends to be a cryptocurrency-related password store.

Researchers from Fortinet FortiGuard Labshas discovered a strain of ransomware that only allows victims Monero payments and pretends to be a cryptocurrency-related password store.

The ransomware poses itself as a “spritecoin” wallet, it asks users to create their desired password, but instead of downloading the block-chain it encrypts the victim’s data files.

The malware asks for a 0.3 Monero ransom ($105 USD at the time of writing) and drops on the target system a ransom note of “Your files are encrypted.”

The malware includes an embedded SQLite engine, a circumstance that leads experts to believe it also implements a credentials harvesting feature for Chrome and Firefox credential store. The malicious code appends the .encrypted file extension to encrypted files (i.e. resume.doc.encrypted).

While decrypting the files, the Spritecoin ransomware also deploys another piece of malware that is able to harvest certificates, parse images, and control the web camera.

“In a cruel twist, if the victim decides to pay and obtain a decryption key they are then delivered a new malicious executable [80685e4eb850f8c5387d1682b618927105673fe3a2692b5c1ca9c66fb62b386b], detected as W32/Generic!tr.” reads the report.

“While have not yet fully analyzed this malicious payload, we can verify that it does have the capability to activate web cameras and parse certificates and keys that will likely leave the victim more compromised than before.”

The experts speculate the ransomware is being spread via forum spam that targets users interested in cryptocurrency.

“Ransomware is usually delivered via social engineering techniques, but can also be delivered without user interaction via exploits. These often arrive (but are not limited to) via email, exploit kits, malicious crafted Excel/Word/PDF macros, or JavaScript downloaders.” states the analysis published by Fortinet.

“The attacker often uses social engineering and carefully crafted malicious emails to trick and entice the victim to run these executables. These files are often seen using compelling file names to lure the victim into opening the file. Usually, the ransomware requires some user interaction to successfully compromise the victim’s machine.”

In this case, the threat arrives as a “SpriteCoin” package (spritecoind[.]exe) under the guise of a SpriteCoin crypto-currency wallet.”

Once installed on the victim’s machine, the malware will present a user with a prompt to “Enter your desired wallet password.”

When the victims provide their credentials the Spritecoin ransomware inform users it is downloading the blockchain, while it is actually encrypting the files.

The ransomware connects to a TOR site via an Onion proxy (http://jmqapf3nflatei35[.]onion.link/*) that allows the victim to communicate with the attacker’s website without the need for a TOR connection.

Share On

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.